* iptables in container, wrong log destination, need pointer
@ 2010-02-11 14:32 Jean-Marc Pigeon
From: Jean-Marc Pigeon @ 2010-02-11 14:32 UTC
To: Linux Containers
Hello,
I have containerized syslog, such that each container has its
own syslog.
Containers can have their own set of iptables rules.
I was expecting CONT: iptables log reports to be
sent to the CONT: syslog, which is not the case;
they are rather sent to HOST: syslog.
This means to me that iptables rules are containerized,
but the execution is NOT (CONT: rules are checked
within the HOST: context, not the CONT: context).
Could somebody give me a hint where I should look
in the code, to have a better understanding about
what is happening?
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement's Home base <http://www.clement.safe.ca>
==========================================================================
* Re: iptables in container, wrong log destination, need pointer
@ 2010-02-11 17:51 Serge E. Hallyn
From: Serge E. Hallyn @ 2010-02-11 17:51 UTC
To: Jean-Marc Pigeon; +Cc: Linux Containers
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
> I have containerized syslog, such that each container has its
> own syslog.
>
> Containers can have their own set of iptables rules.
>
> I was expecting CONT: iptables log reports to be
> sent to the CONT: syslog, which is not the case;
> they are rather sent to HOST: syslog.
>
> This means to me that iptables rules are containerized,
> but the execution is NOT (CONT: rules are checked
> within the HOST: context, not the CONT: context).
>
> Could somebody give me a hint where I should look
> in the code, to have a better understanding about
> what is happening?
Again, printk can be called from any context, so you can't
rely on 'current'. But you are relying on current in
emit_log_char() to get the syslog_ns. That is why you're
getting that.
You're going to have to keep a separate container_printk
(nsprintk) which is called with a syslog_ns. Then in
functions where you know you can determine the syslog_ns,
you can call that fn instead of printk and pass the ns.
Note that since iptables printks are happening out of
context, this means yet another problem: you'll need to
have a way to get the syslog_ns from the netns, which
I suspect is the only thing you can track at that point.
-serge
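Serge's point, as a constructed user-space model added here (not code from the thread or from the kernel): a log sink chosen from `current` goes to whichever task happens to be running when the netfilter hook fires, while an explicit nsprintk fed from an assumed netns-to-syslog_ns link lands the line in the container's log. The struct layouts, helper names and the sample log line are all assumptions for the demonstration.

```c
#include <stdio.h>

/* Constructed user-space model, not kernel code: a "syslog namespace" is a
 * small buffer of message pointers, and a netns carries a link to one. */
#define MAX_LINES 8
struct syslog_ns { const char *name; const char *lines[MAX_LINES]; int n; };
struct net  { struct syslog_ns *syslog_ns; };  /* assumed netns -> syslog_ns link */
struct task { struct syslog_ns *syslog_ns; };  /* stands in for current->nsproxy */

static struct syslog_ns host_log = { "HOST", {0}, 0 };
static struct syslog_ns cont_log = { "CONT", {0}, 0 };
static struct task host_task = { &host_log };
/* Whatever task is running when the netfilter hook fires in softirq
 * context; here a host process, the case the thread describes. */
static struct task *current = &host_task;
static struct net cont_net = { &cont_log };

static void ns_emit(struct syslog_ns *ns, const char *msg)
{
    if (ns->n < MAX_LINES)
        ns->lines[ns->n++] = msg;
}

/* Models the emit_log_char() behaviour Serge describes: the sink is
 * derived from current, which is meaningless outside process context. */
static void printk_via_current(const char *msg) { ns_emit(current->syslog_ns, msg); }

/* Models the proposed nsprintk(): the caller names the namespace. */
static void nsprintk(struct syslog_ns *ns, const char *msg) { ns_emit(ns, msg); }

/* LOG target handling a packet seen in the container's netns, both ways. */
static void nf_log_buggy(struct net *net, const char *msg) { (void)net; printk_via_current(msg); }
static void nf_log_fixed(struct net *net, const char *msg) { nsprintk(net->syslog_ns, msg); }

int lines_in(const struct syslog_ns *ns) { return ns->n; }
void reset_logs(void) { host_log.n = 0; cont_log.n = 0; }

int main(void)
{
    const char *line = "IN=eth0 OUT= SRC=10.0.0.2 DPT=22";  /* constructed sample */
    nf_log_buggy(&cont_net, line);
    printf("buggy: HOST=%d CONT=%d\n", lines_in(&host_log), lines_in(&cont_log));
    reset_logs();
    nf_log_fixed(&cont_net, line);
    printf("fixed: HOST=%d CONT=%d\n", lines_in(&host_log), lines_in(&cont_log));
    return 0;
}
```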